From owner-freebsd-bugs@FreeBSD.ORG  Thu Sep 20 17:40:04 2012
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2DA8B1065674
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 20 Sep 2012 17:40:04 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id E23CF8FC20
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 20 Sep 2012 17:40:03 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q8KHe3KT049791
	for <freebsd-bugs@freefall.freebsd.org>; Thu, 20 Sep 2012 17:40:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q8KHe3O0049790;
	Thu, 20 Sep 2012 17:40:03 GMT (envelope-from gnats)
Resent-Date: Thu, 20 Sep 2012 17:40:03 GMT
Resent-Message-Id: <201209201740.q8KHe3O0049790@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D55CA106564A
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 20 Sep 2012 17:38:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 918478FC16
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 20 Sep 2012 17:38:52 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q8KHccsV029450
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Sep 2012 17:38:38 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id q8KHccbI029449;
	Thu, 20 Sep 2012 17:38:38 GMT (envelope-from nobody)
Message-Id: <201209201738.q8KHccbI029449@red.freebsd.org>
Date: Thu, 20 Sep 2012 17:38:38 GMT
From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: bin/171815: run_file in atrun does not allocate enough space for fmt
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 17:40:04 -0000


>Number:         171815
>Category:       bin
>Synopsis:       run_file in atrun does not allocate enough space for fmt
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 20 17:40:03 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Huddleston Sequoia
>Release:        HEAD
>Organization:
Apple Inc
>Environment:
OS X
>Description:
src/libexec/atrun/atrun.c does the following:

static void
run_file(const char *filename, uid_t uid, gid_t gid)
{
..
    char mailbuf[MAXLOGNAME], fmt[49];
..
    snprintf(fmt, sizeof(fmt),
	"#!/bin/sh\n# atrun uid=%%ld gid=%%ld\n# mail %%%ds %%d",
                          MAXLOGNAME - 1);
..

The problem is that the string being written is can be more than 48 characters long.  Indeed if MAXLOGNAME is 255, we need 50 bytes to hold the string.

This results in atrun erring out on systems where MAXLOGNAME > 100.
>How-To-Repeat:

>Fix:
Index: atrun.c
===================================================================
--- atrun.c	(revision 3476)
+++ atrun.c	(working copy)
@@ -123,7 +123,7 @@
     pid_t pid;
     int fd_out, fd_in;
     int queue;
-    char mailbuf[MAXLOGNAME], fmt[49];
+    char mailbuf[MAXLOGNAME], fmt[64];
     char *mailname = NULL;
     FILE *stream;
     int send_mail = 0;


>Release-Note:
>Audit-Trail:
>Unformatted: